Wireshark-users: Re: [Wireshark-users] HTTP not decoded
From: Sake Blok <sake@xxxxxxxxxx>
Date: Wed, 3 Nov 2010 17:53:13 +0100
On 3 nov 2010, at 16:30, Srivats P wrote:

> Wireshark does not seem to decode TCP port 80 as HTTP for the attached
> pcap file - instead it shows the HTTP data as "TCP segment data".
> 
> Is this expected behaviour? Is it because the file does not contain
> the TCP handshake packets?

The problem is not that wireshark does *not* decode traffic on port 80 as HTTP, but the problem is that it *does* decode this traffic as HTTP, but the contents of the packet is not complete. The HTTP header in the packet is not terminated with a double CR/LF. Therefore Wireshark will continue to search for the remainder of the HTTP header to do reassembly. That's why you see "[TCP segment of a reassembled PDU]". Unfortunately it fails at it's endeavors as the remainder of the HTTP header is not in the tracefile.

As Mike pointed out, you can disable the reassembly to make Wireshark interpret each TCP packet to it's best abilities without trying to reassemble data so that full PDU's can be handed over to the HTTP dissector.

Cheers,


Sake